Practical Zero Trust for SMEs: A Real-World Blueprint With Microsoft 365 and Azure AD
Zero trust has become one of those terms that means everything and nothing. For SMEs, the reality is simpler than the marketing suggests: you already have most of the tools you need if you’re on Microsoft 365 Business Premium or E3.
Start with identity
Conditional access policies in Azure AD are your foundation. Require MFA for all users, block legacy authentication, and enforce device compliance. These three policies alone eliminate the majority of identity-based attacks.
Layer in device trust
Intune compliance policies let you define what a “healthy” device looks like — encrypted disk, up-to-date OS, active EDR. Conditional access then uses this signal to gate access to corporate resources. No compliant device, no access.
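The three identity policies and the device-compliance gate described above, as an added example (not code from the original article) using the Microsoft Graph PowerShell SDK. The policy names, the `New-BaselinePolicy` helper and the emergency-access account ID are assumptions made for illustration; the policies are created in report-only mode so nothing is enforced until the results have been reviewed.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account that is
# excluded from every policy so a misconfiguration cannot lock out the tenant.
# Replace with a real object ID before running.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

# Report-only: sign-ins are evaluated and logged, but no control is enforced.
$state = 'enabledForReportingButNotEnforced'

# Hypothetical helper: builds one all-users, all-apps policy and creates it.
function New-BaselinePolicy {
    param(
        [string]   $Name,
        [string[]] $ClientAppTypes,
        [string[]] $Controls
    )
    $body = @{
        displayName   = $Name
        state         = $state
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Require MFA for all users, on every client type.
New-BaselinePolicy -Name 'BASELINE - Require MFA' `
    -ClientAppTypes @('all') -Controls @('mfa')

# 2. Block legacy authentication (Exchange ActiveSync and other legacy clients).
New-BaselinePolicy -Name 'BASELINE - Block legacy auth' `
    -ClientAppTypes @('exchangeActiveSync', 'other') -Controls @('block')

# 3. Require a device that Intune reports as compliant.
New-BaselinePolicy -Name 'BASELINE - Require compliant device' `
    -ClientAppTypes @('all') -Controls @('compliantDevice')

# List what was created, with its current state.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like 'BASELINE - *' |
    Select-Object DisplayName, State, Id
```

Once the report-only results in the sign-in logs show no unexpected failures, change each policy's state to `enabled` to enforce it.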
Network considerations
For most SMEs, the network perimeter is already gone. Your users are on home broadband, coffee shop WiFi, and mobile data. Accept this reality and design accordingly — every access request should be verified regardless of network location.